Adding trusted realms to the cluster

How to specify trusted realms in Cloudera Manager.

The Kerberos instance associated with a given cluster has its REALM-NAME specified as the default_realm in the Kerberos configuration file (krb5.conf) on the cluster's NameNode. Rules defined in the hadoop.security.auth_to_local property translate the Kerberos principals to local account names at the host level (see Hadoop Users (user:group) and Kerberos Principals and Mapping Kerberos Principals to Short Names). The default rules simply remove the @REALM portion of the Kerberos principal and leave the short name.

To allow principals from other realms to use the cluster, the trusted realms must be specified in Cloudera Manager. For example, the Kerberos realm used by your cluster may have a trust relationship to a central Active Directory or MIT Kerberos realm. Add the central realm to the cluster as detailed in the following steps so that Cloudera Manager can apply the appropriate mapping rules to the principals from the trusted realm to access the cluster's services.

To specify trusted realms using Cloudera Manager:

  1. Log in to the Cloudera Manager Admin Console.
  2. Select Clusters > HDFS Service.
  3. Click the Configuration tab.
  4. Select HDFS (Service-Wide) for the Scope filter.
  5. Select Security for the Category filter.
  6. In the Search field, type Kerberos Realms to find the Trusted Kerberos Realms and Additional Rules to Map Kerberos Principals to Short Names settings.
  7. Add other Kerberos realms that the cluster's realm can trust. Use all upper-case letters to specify the REALM name for MIT Kerberos or Active Directory realms:
    ANOTHER-REALM.EXAMPLE.COM
    To add multiple realms, click the plus (+) button.
  8. Click Save Changes.

For each trusted realm identified in Trusted Kerberos Realms, default mapping rules automatically strip the REALM name. To customize the mapping rules, specify additional rules in the Additional Rules to Map Kerberos Principals to Short Names setting, one rule per line. Cloudera Manager will wrap each rule in the appropriate XML tags and add to the generated core-site.xml file. To create custom rules and translate translate mixed-case Kerberos principals to lower-case Hadoop usernames, see Mapping Rule Syntax.

If you specify custom mapping rules for a Kerberos realm using the Additional Rules to Map Kerberos Principals to Short Names setting, ensure that the same realm is not specified in the Trusted Kerberos Realms setting. If it is, the auto-generated rule (which only strips the realm from the principal and does no additional transformations) takes precedent, and the custom rule is ignored.

For these changes to take effect, you must restart the cluster and redeploy the client configuration, as follows:
  1. On the Cloudera Manager Admin Console, Clusters > Cluster-n to choose cluster-wide actions.
  2. From the Actions drop-down button, select Deploy Client Configuration.